Synopsis
The remote SUSE host is missing one or more security updates.
Description
The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2953-1 advisory.
- Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use-after-free attack in which an attacker might be able to exploit the memory corruption to change process behavior. (CVE-2021-22930)
- Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, and application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js dns library, which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. (CVE-2021-22931)
- If the Node.js https API was used incorrectly and undefined was passed in for the rejectUnauthorized parameter, no error was returned and connections to servers with an expired certificate would have been accepted. (CVE-2021-22939)
- A flaw was found in the c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames, which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability. (CVE-2021-3672)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected nodejs10, nodejs10-devel, nodejs10-docs and / or npm10 packages.
File Name: suse_SU-2021-2953-1.nasl
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
CPE: p-cpe:/a:novell:suse_linux:nodejs10, p-cpe:/a:novell:suse_linux:nodejs10-devel, p-cpe:/a:novell:suse_linux:nodejs10-docs, p-cpe:/a:novell:suse_linux:npm10, cpe:/o:novell:suse_linux:15
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 9/3/2021
Vulnerability Publication Date: 8/11/2021